Writeup for the last human challenge in the Digital Forensics CTF by CyberTalents
Posted by 0xHasanM on November 29, 2020
Description
This Stream is so weird, looking something hidden here!!
Difficulty: Hard
Walkthrough
The challenge is a wave file with high-pitched noise. After examining the file with the usual tools (binwalk, exiftool, strings, etc.) we found nothing, so we should dig deeper.
Step 1: Analyze frames of wav file
Using the following code we could get frame values
A quick look at the values shows that the negative samples are all equal to -1000, while the positive samples differ from each other. If we subtract 1000 from each positive value, we get values from 0 to 255, so they may be characters.
Optimize the code to remove negative values -> subtract 1000 from positive values -> convert values to characters -> redirect output to a file.
Remember to use python2; for more details, search for the difference between chr() in python2 and python3.
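The Step 1 decoding as an added example, not the author's script: it is written for Python 3 and works on bytes, so the chr() difference does not apply. It assumes 16-bit little-endian PCM samples; the function names are illustrative and the sample WAV is constructed in the code, not taken from the challenge.

```python
import gzip
import io
import struct
import wave

OFFSET = 1000  # from the writeup: negative samples are -1000, positives are byte + 1000


def build_sample_wav(payload: bytes) -> bytes:
    """Constructed test input: encode each payload byte as (byte + 1000),
    interleaved with -1000 filler samples, in a 16-bit mono WAV."""
    samples = []
    for b in payload:
        samples += [b + OFFSET, -OFFSET]
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams((1, 2, 44100, 0, "NONE", "not compressed"))
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def decode_wav(wav_bytes: bytes) -> bytes:
    """Drop negative samples, subtract 1000 from the rest, return raw bytes."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("expected 16-bit PCM samples")
        raw = w.readframes(w.getnframes())
    samples = struct.unpack("<%dh" % (len(raw) // 2), raw)
    out = bytearray()
    for s in samples:
        if s < 0:
            continue  # filler sample, carries no data
        value = s - OFFSET
        if not 0 <= value <= 255:
            raise ValueError("sample %d does not map to a byte" % s)
        out.append(value)
    return bytes(out)


def identify(data: bytes) -> str:
    """Minimal magic-byte check, standing in for the `file` utility."""
    return "gzip" if data[:2] == b"\x1f\x8b" else "unknown"


if __name__ == "__main__":
    hidden = gzip.compress(b"constructed payload, not challenge data")
    recovered = decode_wav(build_sample_wav(hidden))
    print(identify(recovered), gzip.decompress(recovered))
```

On a real file, pass its contents to decode_wav() and write the returned bytes to disk in binary mode before running file on the result.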
Step 2: Analyze output from code
Start by running the strings utility, which returns nothing useful. After looking at the file, its icon had turned into a compressed-file icon; running the file utility on it reports that it is a gz compressed file. Uncompressing it gives us 5 different packets: f100, f200, f300, f400, f500.
Step 3: Analyzing packets
Looking at the packets, they contain just DNS queries with a base64 string in each packet, so all we have to do is extract these strings, decode them and get the output.
Using this command: tshark -r <filename> -T fields -e dns.qry.name | sed ':a;N;$!ba;s/\n//g'
Step 4: Decoding outputs
Using the base64 utility (base64 -d filename), we decoded the output, which gave us another wave file.
Step 5: Getting flag
Going through the usual process of analysing a wave file again, we found the flag using the DeepSound tool, inside an image called flag.jpg.